This invention relates generally to analysis of program code and, more specifically, relates to static and run-time analysis of program code.
This section is intended to provide a background or context to the invention disclosed below. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived, implemented or described. Therefore, unless otherwise explicitly indicated herein, what is described in this section is not prior art to the description in this application and is not admitted to be prior art by inclusion in this section.
A major security threat in web and mobile applications is leakage of secret data. Such leakage may include private information, such as a person's contact list, as well as confidential information like sensitive email content (especially under a “bring your own device” policy). An application may also leak details about its internal implementation, such as the type and version of its backend database, which an attacker could use in crafting other attacks (for the database example, a Structured Query Language (SQL) injection attack).
An important source of difficulty in dealing with information leakage is deciding whether the released information indeed constitutes a secret. Here is an example from the mobile telecommunications area.
The International Mobile Station Equipment Identity (IMEI) is a number, usually unique, that identifies 3GPP (3rd Generation Partnership Project) and iDEN (Integrated Digital Enhanced Network) mobile phones as well as certain satellite phones. The IMEI consists of 16 digits: the Type Allocation Code (TAC) is the first 8 digits. The TAC provides the model and origin of the device. The next 6 digits are a manufacturer-defined number known as the SNR (serial number). Finally, the last digit is a Luhn check digit, which is computed with the Luhn algorithm and used to validate the IMEI.
The standard approach to detection of information leakage problems is to track whether there is data flow from a source statement reading confidential information to a sink statement releasing this information to the outside environment. See, for instance, Tripp et al., “TAJ: Effective Taint Analysis of Web Applications”, PLDI'09, Jun. 15-20, 2009, Dublin, Ireland. If there is source-to-sink data flow of sensitive information, then a leakage vulnerability is reported.
However, in certain instances, this source-to-sink data flow of information may not actually be a vulnerability.
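To make the IMEI structure and the "is it really a secret?" question concrete, the following added example (not code from the patent) splits an IMEI into the TAC, SNR and check-digit fields described above, validates the Luhn check digit, and classifies a value reaching a sink as device-unique (full IMEI) or model-only (bare TAC). The field lengths follow the TAC/SNR/check-digit breakdown given in the text; `classify_sink_value` and the sample IMEI are assumptions constructed for the example.

```python
from dataclasses import dataclass

TAC_LEN, SNR_LEN = 8, 6  # field lengths from the IMEI description above


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check; its last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right, skipping the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Return the single digit that makes payload + digit pass luhn_valid()."""
    return next(c for c in "0123456789" if luhn_valid(payload + c))


@dataclass
class Imei:
    tac: str    # model and origin of the device (not device-unique)
    snr: str    # manufacturer-defined serial number (device-unique)
    check: str  # Luhn check digit


def parse_imei(value: str) -> Imei:
    """Split a digit string into TAC, SNR and check digit, rejecting bad check digits."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) != TAC_LEN + SNR_LEN + 1:
        raise ValueError("expected TAC + SNR + check digit")
    if not luhn_valid(digits):
        raise ValueError("Luhn check digit mismatch")
    return Imei(digits[:TAC_LEN], digits[TAC_LEN:TAC_LEN + SNR_LEN], digits[-1])


def classify_sink_value(value: str) -> str:
    """Hypothetical sensitivity classifier for a value that flows to a sink."""
    digits = "".join(ch for ch in value if ch.isdigit())
    try:
        parse_imei(digits)
        return "secret"   # full IMEI: device-unique SNR is exposed
    except ValueError:
        pass
    if len(digits) == TAC_LEN:
        return "public"   # TAC alone only reveals model and origin
    return "unknown"


SAMPLE_IMEI = "352099001761481"  # constructed sample value, not a real device
```

A bare TAC flowing to a sink reveals the device model but not which device, so a taint analysis that treats every IMEI-derived value as a leak would report it as a false positive.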